isogeny graphs in cryptography
play

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, - PowerPoint PPT Presentation

Oct 18, 2023 •414 likes •1.87k views

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

  1. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  2. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  3. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  4. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  5. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  6. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  7. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  8. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  9. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  10. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  11. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  12. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  13. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  14. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  15. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  16. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  17. Homotheties Two lattices are homothetic if a there exist ☛ ✷ ❈ such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  18. Homotheties Two lattices are homothetic if a there exist ☛ ✷ ❈ such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 12 / 75

  19. The j -invariant We want to classify complex lattices/tori up to homothety. Eisenstein series Let ✄ be a complex lattice. For any integer k ❃ 0 define ❳ ✦ � 2 k ✿ G 2 k ✭✄✮ ❂ ✦ ✷ ✄ ♥❢ 0 ❣ Also set g 2 ✭✄✮ ❂ 60 G 4 ✭✄✮ ❀ g 3 ✭✄✮ ❂ 140 G 6 ✭✄✮ ✿ Modular j -invariant Let ✄ be a complex lattice, the modular j -invariant is g 2 ✭✄✮ 3 j ✭✄✮ ❂ 1728 g 2 ✭✄✮ 3 � 27 g 3 ✭✄✮ 2 ✿ Two lattices ✄ ❀ ✄ ✵ are homothetic if and only if j ✭✄✮ ❂ j ✭✄ ✵ ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 13 / 75

  20. Elliptic curves over ❈ Weierstrass ⑥ function Let ✄ be a complex lattice, the Weierstrass ⑥ function associated to ✄ is the series ⑥ ✭ z ❀ ✄✮ ❂ 1 ✒ ✭ z � ✦ ✮ 2 � 1 1 ✓ ❳ z 2 ✰ ✿ ✦ 2 ✦ ✷ ✄ ♥❢ 0 ❣ Fix a lattice ✄ , then ⑥ and its derivative ⑥ ✵ are elliptic functions: ⑥ ✵ ✭ z ✰ ✦ ✮ ❂ ⑥ ✵ ✭ z ✮ ⑥ ✭ z ✰ ✦ ✮ ❂ ⑥ ✭ z ✮ ❀ for all ✦ ✷ ✄ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 14 / 75

  21. Uniformization theorem Let ✄ be a complex lattice. The curve E ✿ y 2 ❂ 4 x 3 � g 2 ✭✄✮ x � g 3 ✭✄✮ is an elliptic curve over ❈ . The map ❈ ❂ ✄ ✦ E ✭ ❈ ✮ ❀ 0 ✼✦ ✭ 0 ✿ 1 ✿ 0 ✮ ❀ z ✼✦ ✭ ⑥ ✭ z ✮ ✿ ⑥ ✵ ✭ z ✮ ✿ 1 ✮ is an isomorphism of Riemann surfaces and a group morphism. Conversely, for any elliptic curve E ✿ y 2 ❂ x 3 ✰ ax ✰ b there is a unique complex lattice ✄ such that g 2 ✭✄✮ ❂ � 4 a ❀ g 3 ✭✄✮ ❂ � 4 b ✿ Moreover j ✭✄✮ ❂ j ✭ E ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 15 / 75

  22. ❬ ❪ ❬ ❪ Multiplication a Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 16 / 75

  23. ❬ ❪ Multiplication ❬ 3 ❪ a a Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 16 / 75

  24. ❬ ❪ Multiplication ❬ 3 ❪ a a Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 16 / 75

  25. Torsion subgroups The ❵ -torsion subgroup is made up by the points ✒ i ✦ 1 ❵ ❀ j ✦ 2 ✓ ❵ It is a group of rank two E ❬ ❵ ❪ ❂ ❤ a ❀ b ✐ b ✬ ✭ ❩ ❂❵ ❩ ✮ 2 a Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 17 / 75

  26. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 18 / 75

  27. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 18 / 75

  28. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 18 / 75

  29. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 p and is homothetic to the b multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 18 / 75

  30. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 p and is homothetic to the b multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 18 / 75

  31. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 and is homothetic to the b multiplication by ❵ p map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 18 / 75

  32. Isogenies: back to algebra Let ✣ ✿ E ✦ E ✵ be an isogeny defined over a field k of characteristic p . k ✭ E ✮ is the field of all rational functions from E to k ; ✣ ✄ k ✭ E ✵ ✮ is the subfield of k ✭ E ✮ defined as ✣ ✄ k ✭ E ✵ ✮ ❂ ❢ f ✍ ✣ ❥ f ✷ k ✭ E ✵ ✮ ❣ ✿ Degree, separability The degree of ✣ is ❞❡❣ ✣ ❂ ❬ k ✭ E ✮ ✿ ✣ ✄ k ✭ E ✵ ✮❪ . It is always finite. 1 ✣ is said to be separable, inseparable, or purely inseparable if the 2 extension of function fields is. If ✣ is separable, then ❞❡❣ ✣ ❂ ★ ❦❡r ✣ . 3 If ✣ is purely inseparable, then ❦❡r ✣ ❂ ❢❖❣ and ❞❡❣ ✣ is a power of p . 4 Any isogeny can be decomposed as a product of a separable and a 5 purely inseparable isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 19 / 75

  33. Isogenies: back to algebra Let ✣ ✿ E ✦ E ✵ be an isogeny defined over a field k of characteristic p . k ✭ E ✮ is the field of all rational functions from E to k ; ✣ ✄ k ✭ E ✵ ✮ is the subfield of k ✭ E ✮ defined as ✣ ✄ k ✭ E ✵ ✮ ❂ ❢ f ✍ ✣ ❥ f ✷ k ✭ E ✵ ✮ ❣ ✿ Degree, separability The degree of ✣ is ❞❡❣ ✣ ❂ ❬ k ✭ E ✮ ✿ ✣ ✄ k ✭ E ✵ ✮❪ . It is always finite. 1 ✣ is said to be separable, inseparable, or purely inseparable if the 2 extension of function fields is. If ✣ is separable, then ❞❡❣ ✣ ❂ ★ ❦❡r ✣ . 3 If ✣ is purely inseparable, then ❦❡r ✣ ❂ ❢❖❣ and ❞❡❣ ✣ is a power of p . 4 Any isogeny can be decomposed as a product of a separable and a 5 purely inseparable isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 19 / 75

  34. Isogenies: separable vs inseparable Purely inseparable isogenies Examples: The Frobenius endomorphism is purely inseparable of degree q . All purely inseparable maps in characteristic p are of the form ✭ X ✿ Y ✿ Z ✮ ✼✦ ✭ X p e ✿ Y p e ✿ Z p e ✮ . Separable isogenies Let E be an elliptic curve, and let G be a finite subgroup of E . There are a unique elliptic curve E ✵ and a unique separable isogeny ✣ , such that ❦❡r ✣ ❂ G and ✣ ✿ E ✦ E ✵ . The curve E ✵ is called the quotient of E by G and is denoted by E ❂ G . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 20 / 75

  35. The dual isogeny Let ✣ ✿ E ✦ E ✵ be an isogeny of degree m . There is a unique isogeny ✣ ✿ E ✵ ✦ E such that ❫ ❫ ✣ ✍ ❫ ✣ ✍ ✣ ❂ ❬ m ❪ E ❀ ✣ ❂ ❬ m ❪ E ✵ ✿ ❫ ✣ is called the dual isogeny of ✣ ; it has the following properties: ❫ ✣ is defined over k if and only if ✣ is; 1 ❬ ✥ for any isogeny ✥ ✿ E ✵ ✦ E ✵✵ ; ✥ ✍ ✣ ❂ ❫ ✣ ✍ ❫ 2 ❭ ✥ ✰ ✣ ❂ ❫ ✥ ✰ ❫ ✣ for any isogeny ✥ ✿ E ✦ E ✵ ; 3 ❞❡❣ ✣ ❂ ❞❡❣ ❫ ✣ ; 4 ❫ ❫ ✣ ❂ ✣ . 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 21 / 75

  36. Algebras, orders A quadratic imaginary number field is an extension of ◗ of the form ♣ � D ❪ for some non-square D ❃ 0 . Q ❬ A quaternion algebra is an algebra of the form ◗ ✰ ☛ ◗ ✰ ☞ ◗ ✰ ☛☞ ◗ , where the generators satisfy the relations ☛ 2 ❀ ☞ 2 ✷ ◗ ❀ ☛ 2 ❁ 0 ❀ ☞ 2 ❁ 0 ❀ ☞☛ ❂ � ☛☞✿ Orders Let K be a finitely generated ◗ -algebra. An order ❖ ✚ K is a subring of K that is a finitely generated ❩ -module of maximal dimension. An order that is not contained in any other order of K is called a maximal order. Examples: ❩ is the only order contained in ◗ , ❩ ❬ i ❪ is the only maximal order of ◗ ❬ i ❪ , ♣ ♣ 5 ❪ is a non-maximal order of ◗ ❬ 5 ❪ , ❩ ❬ The ring of integers of a number field is its only maximal order, In general, maximal orders in quaternion algebras are not unique. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 22 / 75

  37. The endomorphism ring The endomorphism ring ❊♥❞✭ E ✮ of an elliptic curve E is the ring of all isogenies E ✦ E (plus the null map) with addition and composition. Theorem (Deuring) Let E be an elliptic curve defined over a field k of characteristic p . ❊♥❞✭ E ✮ is isomorphic to one of the following: ❩ , only if p ❂ 0 E is ordinary. An order ❖ in a quadratic imaginary field: E is ordinary with complex multiplication by ❖ . Only if p ❃ 0 , a maximal order in a quaternion algebra a : E is supersingular. a (ramified at p and ✶ ) Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 23 / 75

  38. The finite field case Theorem (Hasse) Let E be defined over a finite field. Its Frobenius endomorphism ✙ satisfies a quadratic equation ✙ 2 � t ✙ ✰ q ❂ 0 in ❊♥❞✭ E ✮ for some ❥ t ❥ ✔ 2 ♣ q , called the trace of ✙ . The trace t is coprime to q if and only if E is ordinary. Suppose E is ordinary, then D ✙ ❂ t 2 � 4 q ❁ 0 is the discriminant of ❩ ❬ ✙ ❪ . K ❂ ◗ ❬ ✙ ❪ ❂ ◗ ❬ ♣ D ✙ ❪ is the endomorphism algebra of E . Denote by ❖ K its ring of integers, then ❩ ✻ ❂ ❩ ❬ ✙ ❪ ✚ ❊♥❞✭ E ✮ ✚ ❖ K ✿ In the supersingular case, ✙ may or may not be in ❩ , depending on q . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 24 / 75

  39. Endomorphism rings of ordinary curves Classifying quadratic orders Let K be a quadratic number field, and let ❖ K be its ring of integers. Any order ❖ ✚ K can be written as ❖ ❂ ❩ ✰ f ❖ K for an integer f , called the conductor of ❖ , denoted by ❬ ❖ k ✿ ❖ ❪ . If d K is the discriminant of K , the discriminant of ❖ is f 2 d K . If ❖ ❀ ❖ ✵ are two orders with discriminants d ❀ d ✵ , then ❖ ✚ ❖ ✵ iff d ✵ ❥ d . ❖ K ❩ ✰ 2 ❖ K ❩ ✰ 3 ❖ K ❩ ✰ 5 ❖ K ❩ ✰ 6 ❖ K ❩ ✰ 10 ❖ K ❩ ✰ 15 ❖ K ❩ ❬ ✙ ❪ ✬ ❩ ✰ 30 ❖ K Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 25 / 75

  40. Isogeny volcanoes Serre-Tate theorem reloaded Two elliptic curves E ❀ E ✵ defined over a finite field are isogenous iff their endomorphism algebras ❊♥❞✭ E ✮ ✡ ◗ and ❊♥❞✭ E ✵ ✮ ✡ ◗ are isomorphic. Isogeny graphs Vertices are curves up to isomorphism, Edges are isogenies up to isomorphism. Isogeny volcanoes Curves are ordinary, Isogenies all have degree a prime ❵ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 26 / 75

  41. Volcanology I Let E ❀ E ✵ be curves with respective if ❖ ❂ ❖ ✵ , ✣ is horizontal; endomorphism rings ❖ ❀ ❖ ✵ . if ❬ ❖ ✵ ✿ ❖ ❪ ❂ ❵ , ✣ is ascending; Let ✣ ✿ E ✦ E ✵ be an isogeny of if ❬ ❖ ✿ ❖ ✵ ❪ ❂ ❵ , ✣ is descending. prime degree ❵ , then: ❊♥❞✭ E ✮ ❖ K ❩ ❬ ✙ ❪ Isogeny volcano of degree ❵ ❂ 3 . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 27 / 75

  42. ✿ ❩ ❬ ✙ ❪❪✮ ❂ ❵ ✭❬ ❖ Volcanology II ❊♥❞✭ E ✮ ❖ K ❩ ❬ ✙ ❪ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 28 / 75

  43. Volcanology II ❊♥❞✭ E ✮ ❖ K Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . ❩ ❬ ✙ ❪ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 28 / 75

  44. Volcanology II ❊♥❞✭ E ✮ ❖ K Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . How large is the crater? ❩ ❬ ✙ ❪ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 28 / 75

  45. The class group ♣ Let ❊♥❞✭ E ✮ ❂ ❖ ✚ ◗ ✭ � D ✮ . Define ■ ✭ ❖ ✮ , the group of invertible fractional ideals, P ✭ ❖ ✮ , the group of principal ideals, The class group The class group of ❖ is ❈❧✭ ❖ ✮ ❂ ■ ✭ ❖ ✮ ❂ P ✭ O ✮ ✿ It is a finite abelian group. Its order h ✭ ❖ ✮ is called the class number of ❖ . ♣ It arises as the Galois group of an abelian extension of ◗ ✭ � D ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 29 / 75

  46. Complex multiplication The a -torsion Let a ✚ ❖ be an (integral invertible) ideal of ❖ ; Let E ❬ a ❪ be the subgroup of E annihilated by a : E ❬ a ❪ ❂ ❢ P ✷ E ❥ ☛ ✭ P ✮ ❂ 0 for all ☛ ✷ a ❣ ❀ Let ✣ ✿ E ✦ E a , where E a ❂ E ❂ E ❬ a ❪ . Then ❊♥❞✭ E a ✮ ❂ ❖ (i.e., ✣ is horizontal). Theorem (Complex multiplication) The action on the set of elliptic curves with complex multiplication by ❖ defined by a ✄ j ✭ E ✮ ❂ j ✭ E a ✮ factors through ❈❧✭ ❖ ✮ , is faithful and transitive. Corollary ✏ ✑ D Let ❊♥❞✭ E ✮ have discriminant D . Assume that ❂ 1 , then E is on a ❵ crater of an ❵ -volcano, and the crater contains h ✭❊♥❞✭ E ✮✮ curves. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 30 / 75

  47. Supersingular graphs Every supersingular curve is defined over ❋ p 2 . For every maximal order type of the quaternion algebra ◗ p ❀ ✶ there are 1 or 2 curves over ❋ p 2 having endomorphism ring isomorphic to it. There is a unique isogeny class of supersingular curves over ✖ ❋ p of size ✘ p ❂ 12 . Lef ideals act on the set of maximal orders like isogenies. Figure: 3 -isogeny graph on ❋ 97 2 . The graph of ❵ -isogenies is ✭ ❵ ✰ 1 ✮ -regular. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 31 / 75

  48. Overview Foundations 1 Elliptic curves Isogenies Complex multiplication Isogeny-based cryptography 2 Isogeny walks Key exchange from ordinary graphs Key exchange from supersingular graphs The SIKE submission Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 32 / 75

  49. Isogeny graphs Vertices are curves up to isomorphism, Edges are isogenies up to isomorphism. Ordinary case ❵ -isogeny graphs form volcanoes. The height of the volcano is given by the conductor of ❩ ❬ ✙ ❪ . All curves on the same level have the same endomorphism ring (have complex multiplication by the same order ❖ ). ✏ ✑ Type of summit (one curve, two curves, crater) determined by D . ❵ Size of the crater is h ✭ ❖ ✮ , and ❈❧✭ ❖ ✮ acts on it. Supersingular case There are ✘ p ❂ 12 supersingular j -invariants, all defined over ❋ p 2 . ❵ -isogeny graphs are ✭ ❵ ✰ 1 ✮ -regular and connected. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 33 / 75

  50. Graphs lexicon Degree: Number of (outgoing/ingoing) edges. k -regular: All vertices have degree k . Connected: There is a path between any two vertices. Distance: The length of the shortest path between two vertices. Diamater: The longest distance between two vertices. ✕ 1 ✕ ✁ ✁ ✁ ✕ ✕ n : The (ordered) eigenvalues of the adjacency matrix. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 34 / 75

  51. Expander graphs Proposition If G is a k -regular graph, its largest and smallest eigenvalues satisfy k ❂ ✕ 1 ✕ ✕ n ✕ � k ✿ Expander families An infinite family of connected k -regular graphs on n vertices is an expander family if there exists an ✎ ❃ 0 such that all non-trivial eigenvalues satisfy ❥ ✕ ❥ ✔ ✭ 1 � ✎ ✮ k for n large enough. Expander graphs have short diameter ( O ✭❧♦❣ n ✮ ); Random walks mix rapidly (afer O ✭❧♦❣ n ✮ steps, the induced distribution on the vertices is close to uniform). Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 35 / 75

  52. Expander graphs from isogenies Theorem (Pizer 1990, 1998) Let ❵ be fixed. The family of graphs of supersingular curves over ❋ p 2 with ❵ -isogenies, as p ✦ ✶ , is an expander family a . a Even better, it has the Ramanujan property. In the ordinary case, for all primes ❵ ✲ t 2 � 4 q : ✏ ✑ 50% of ❵ -isogeny graphs are isolated points, D K ❂ � 1 ❵ ✏ ✑ D K 50% of ❵ -isogeny graphs are cycles. ❂ ✰ 1 ❵ Theorem (Jao, Miller, and Venkatesan 2009) ♣ Let ❖ ✚ ◗ ❬ � D ❪ be an order in a quadratic imaginary field. The graphs of all curves over ❋ q with complex multiplication by ❖ , with isogenies of prime degree bounded a by ✭❧♦❣ q ✮ 2 ✰ ✍ , are expanders. a May contain traces of GRH. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 36 / 75

  53. Isogeny based cryptography is 20 years old! 1996 Couveignes suggests isogeny-based key-exchange at a seminar in École Normale Supérieure; 1997 He submits “Hard Homogeneous Spaces” to Crypto; Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 37 / 75

  54. Isogeny based cryptography is 20 years old! 1996 Couveignes suggests isogeny-based key-exchange at a seminar in École Normale Supérieure; 1997 He submits “Hard Homogeneous Spaces” to Crypto; 1997 His paper gets rejected; Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 37 / 75

  55. Isogeny based cryptography is 20 years old! 1996 Couveignes suggests isogeny-based key-exchange at a seminar in École Normale Supérieure; 1997 He submits “Hard Homogeneous Spaces” to Crypto; 1997 His paper gets rejected; 1997–2006 ...Nothing happens for about 10 years. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 37 / 75

  56. Isogeny based cryptography is 20 years old! 1996 Couveignes suggests isogeny-based key-exchange at a seminar in École Normale Supérieure; 1997 He submits “Hard Homogeneous Spaces” to Crypto; 1997 His paper gets rejected; 1997–2006 ...Nothing happens for about 10 years. Ok. Let’s move on to the next 10 years! Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 37 / 75

  57. ✭★ ✮ ✭ ✮ ❡①♣✭❧♦❣ ★ ✮ Isogeny problems Isogeny computation Given an elliptic curve E with Frobenius endomorphism ✙ , and a subgroup G ✚ E such that ✙ ✭ G ✮ ❂ G , compute the rational fractions and the image curve of the separable isogeny ✣ ✿ E ✦ E ❂ G . Explicit isogeny Given two elliptic curves E ❀ E ✵ over a finite field, isogenous of known degree d , find an isogeny ✣ ✿ E ✦ E ✵ of degree d . Isogeny walk Given two elliptic curves E ❀ E ✵ over a finite field k , such that ★ E ❂ ★ E ✵ , find an isogeny ✣ ✿ E ✦ E ✵ of smooth degree. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 38 / 75

  58. ✭ ✮ ❡①♣✭❧♦❣ ★ ✮ Isogeny problems Isogeny computation poly ✭★ G ✮ Given an elliptic curve E with Frobenius endomorphism ✙ , and a subgroup G ✚ E such that ✙ ✭ G ✮ ❂ G , compute the rational fractions and the image curve of the separable isogeny ✣ ✿ E ✦ E ❂ G . Explicit isogeny Given two elliptic curves E ❀ E ✵ over a finite field, isogenous of known degree d , find an isogeny ✣ ✿ E ✦ E ✵ of degree d . Isogeny walk Given two elliptic curves E ❀ E ✵ over a finite field k , such that ★ E ❂ ★ E ✵ , find an isogeny ✣ ✿ E ✦ E ✵ of smooth degree. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 38 / 75

  59. ❡①♣✭❧♦❣ ★ ✮ Isogeny problems Isogeny computation poly ✭★ G ✮ Given an elliptic curve E with Frobenius endomorphism ✙ , and a subgroup G ✚ E such that ✙ ✭ G ✮ ❂ G , compute the rational fractions and the image curve of the separable isogeny ✣ ✿ E ✦ E ❂ G . Explicit isogeny poly ✭ d ✮ Given two elliptic curves E ❀ E ✵ over a finite field, isogenous of known degree d , find an isogeny ✣ ✿ E ✦ E ✵ of degree d . Isogeny walk Given two elliptic curves E ❀ E ✵ over a finite field k , such that ★ E ❂ ★ E ✵ , find an isogeny ✣ ✿ E ✦ E ✵ of smooth degree. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 38 / 75

  60. Isogeny problems Isogeny computation poly ✭★ G ✮ Given an elliptic curve E with Frobenius endomorphism ✙ , and a subgroup G ✚ E such that ✙ ✭ G ✮ ❂ G , compute the rational fractions and the image curve of the separable isogeny ✣ ✿ E ✦ E ❂ G . Explicit isogeny poly ✭ d ✮ Given two elliptic curves E ❀ E ✵ over a finite field, isogenous of known degree d , find an isogeny ✣ ✿ E ✦ E ✵ of degree d . Isogeny walk ❡①♣✭❧♦❣ ★ k ✮ Given two elliptic curves E ❀ E ✵ over a finite field k , such that ★ E ❂ ★ E ✵ , find an isogeny ✣ ✿ E ✦ E ✵ of smooth degree. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 38 / 75

  61. Isogeny walks and cryptanalysis 2 (circa 2000) Fact: Having a weak DLP is not (always) isogeny invariant. strong curve weak curve E ✵ E E ✵✵ Fourth root attacks Start two random walks from the two curves and wait for a collision. Over ❋ q , the average size of an isogeny class is h ✭ ❖ K ✮ ✘ ♣ q . 1 A collision is expected afer O ✭ ♣ 4 ✮ steps. h ✭ ❖ K ✮✮ ❂ O ✭ q Note: Can be used to build trapdoor systems 1 . 1 Teske 2006. 2 Galbraith 1999; Galbraith, Hess, and Smart 2002; Bisson and Sutherland 2011. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 39 / 75

  62. Random walks and hash functions (circa 2006) Any expander graph gives rise to a hash function. 1 1 1 1 1 1 v ✵ H ✭ 010101 ✮ ❂ v ✵ v 0 0 0 0 0 0 Fix a starting vertex v ; The value to be hashed determines a random path to v ✵ ; v ✵ is the hash. Provably secure hash functions Use the expander graph of supersingular 2 -isogenies; a Collision resistance = hardness of finding cycles in the graph; Preimage resistance = hardness of finding a path from v to v ✵ . a Charles, K. E. Lauter, and Goren 2009; Doliskani, Pereira, and Barreto 2017. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 40 / 75

  63. Random walks and key exchange Let’s try something harder... Public v 0 0 0 1 1 0 0 0 1 1 0 1 1 0 0 1 0 1 0 1 1 Alice’s public v A Bob’s public v B 0 0 1 1 0 0 0 1 0 1 1 1 0 0 1 0 1 0 1 1 Shared secret ...is this even possible? Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 41 / 75

  64. ✭ ❩ ❂ ❩ ✮ ✂ ✚ � ✚ ✭ ❀ ♥ ❢ ❣ ✮ ✼✦ ✼✦ ✼✦ Expander graphs from groups Let G ❂ ❤ g ✐ be a cyclic g 8 group of order p . g 3 g 4 g 6 g 2 g 12 g 1 g 11 g 7 g 9 g 10 g 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 42 / 75

  65. ✭ ❩ ❂ ❩ ✮ ✂ ✚ � ✚ ✭ ❀ ♥ ❢ ❣ ✮ ✼✦ ✼✦ Expander graphs from groups Let G ❂ ❤ g ✐ be a cyclic g 8 group of order p . g 3 g 4 g 6 g 2 g 12 g 1 x ✼✦ x 2 g 11 g 7 g 9 g 10 g 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 42 / 75

  66. ✭ ❩ ❂ ❩ ✮ ✂ ✚ � ✚ ✭ ❀ ♥ ❢ ❣ ✮ ✼✦ Expander graphs from groups Let G ❂ ❤ g ✐ be a cyclic g 8 group of order p . g 3 g 4 g 6 g 2 g 12 g 1 x ✼✦ x 2 x ✼✦ x 3 g 11 g 7 g 9 g 10 g 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 42 / 75

  67. ✭ ❩ ❂ ❩ ✮ ✂ ✚ � ✚ ✭ ❀ ♥ ❢ ❣ ✮ Expander graphs from groups Let G ❂ ❤ g ✐ be a cyclic g 8 group of order p . g 3 g 4 g 6 g 2 g 12 g 1 x ✼✦ x 2 x ✼✦ x 3 g 11 g 7 x ✼✦ x 5 g 9 g 10 g 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 42 / 75

  68. Expander graphs from groups Let G ❂ ❤ g ✐ be a cyclic g 8 group of order p . Let g 3 g 4 ✭ ❩ ❂ p ❩ ✮ ✂ s.t. ✚ S S � 1 ✚ S . g 6 g 2 The Schreier graph of ✭ S ❀ G ♥ ❢ 1 ❣ ✮ is (usually) an expander. g 12 g 1 x ✼✦ x 2 x ✼✦ x 3 g 11 g 7 x ✼✦ x 5 g 9 g 10 g 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 42 / 75

  69. ❂ ✿ ✦ ✭❧♦❣ ✮ Key exchange from Schreier graphs Public parameters: A group G ❂ ❤ g ✐ of order p ; A subset S ✚ ✭ ❩ ❂ p ❩ ✮ ✂ . g Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 43 / 75

  70. ❂ Key exchange from Schreier graphs Public parameters: g A A group G ❂ ❤ g ✐ of order p ; A subset S ✚ ✭ ❩ ❂ p ❩ ✮ ✂ . Alice takes a secret random 1 walk s A ✿ g ✦ g A of length O ✭❧♦❣ p ✮ ; g Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 43 / 75

  71. ❂ Key exchange from Schreier graphs Public parameters: g A A group G ❂ ❤ g ✐ of order p ; A subset S ✚ ✭ ❩ ❂ p ❩ ✮ ✂ . Alice takes a secret random 1 walk s A ✿ g ✦ g A of length O ✭❧♦❣ p ✮ ; g B g Bob does the same; 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 43 / 75

  72. ❂ Key exchange from Schreier graphs Public parameters: g A A group G ❂ ❤ g ✐ of order p ; A subset S ✚ ✭ ❩ ❂ p ❩ ✮ ✂ . Alice takes a secret random 1 walk s A ✿ g ✦ g A of length O ✭❧♦❣ p ✮ ; g B g Bob does the same; 2 They publish g A and g B ; 3 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 19–23, 2018 — Post-Scryptum 43 / 75

Recommend

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles & Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

1.01k views • 73 slides
Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

302 views • 27 slides
BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

ERNEST HUNTER DIMITAR BENJAMIN BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION TO ISOGENY GRAPHS

770 views • 63 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain

Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain

Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chlo Martindale, Damien Robert Isogenies on elliptic curves Abelian

598 views • 44 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel

Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel

Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel Deyts Universit Paris Saclay UVSQ Dec 14, 2018, UVSQ, Versailles Elliptic curves Let E y 2 x 3 ax b be an elliptic curve...

1.02k views • 85 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de Mathmatiques de Marseille Journes Nationales de Calcul Formel 2019 CIRM, Luminy, 7 February 2019 Leonardo COL ( I2M-AMU ) OSIDH 7 February 2019 2

966 views • 73 slides
Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr ager (Penn State), Sean Hallgren (Penn State), Kristin Lauter (Microsoft Research), Travis Morrison (Penn State), Christophe Petit (Birmingham)

427 views • 38 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques de Marseille Number-Theoretic Methods in Cryptology 2019 Sorbonne Universit, Institut de Mathmatiques de Jussieu Paris, 26 June 2019 Leonardo

739 views • 53 slides
Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5

Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5

Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5 fvrier 2013 Sorina Ionica 1 / 35 Cryptographic motivation We need an abelian variety of small dimension (i.e. 1,2) defined over F q s.t. # A ( F q

833 views • 35 slides
Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4

Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4

Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4 Benjamin Smith 3 1 UVSQ, Universit Paris Saclay 2 cole normale suprieure, Paris 3 Inria and cole polytechnique, Universit Paris Saclay 4 Inria

882 views • 74 slides

More recommend